[iptables PATCH 3/3] libxtables: Boost rule target checks by announcing chain names

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 3/3] libxtables: Boost rule target checks by announcing chain names
Date: Wed, 16 Mar 2022 18:44:43 +0100	[thread overview]
Message-ID: <20220316174443.1930-4-phil@nwl.cc> (raw)
In-Reply-To: <20220316174443.1930-1-phil@nwl.cc>

When restoring a ruleset, feed libxtables with chain names from
respective lines to avoid an extension search.

While the user's intention is clear, this effectively disables the
sanity check for clashes with target extensions. But:

* The check yielded only a warning and the clashing chain was finally
  accepted.

* Users crafting iptables dumps for feeding into iptables-restore likely
  know what they're doing.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 include/xtables.h           | 3 +++
 iptables/iptables-restore.c | 1 +
 iptables/xtables-restore.c  | 1 +
 libxtables/xtables.c        | 6 ++++++
 4 files changed, 11 insertions(+)

diff --git a/include/xtables.h b/include/xtables.h
index ca674c2663eb4..816a157d5577d 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -645,6 +645,9 @@ const char *xt_xlate_get(struct xt_xlate *xl);
 #define xt_xlate_rule_get xt_xlate_get
 const char *xt_xlate_set_get(struct xt_xlate *xl);
 
+/* informed target lookups */
+void xtables_announce_chain(const char *name);
+
 #ifdef XTABLES_INTERNAL
 
 /* Shipped modules rely on this... */
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index 1917fb2315665..4cf0d3dadead9 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -308,6 +308,7 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
 						cb->ops->strerror(errno));
 			}
 
+			xtables_announce_chain(chain);
 			ret = 1;
 
 		} else if (in_table) {
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index c94770a0175eb..8ee0bb91f7d44 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -155,6 +155,7 @@ static void xtables_restore_parse_line(struct nft_handle *h,
 				   "%s: line %u chain name invalid\n",
 				   xt_params->program_name, line);
 
+		xtables_announce_chain(chain);
 		assert_valid_chain_name(chain);
 
 		policy = strtok(NULL, " \t\n");
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 49790046a79d8..60e7c6e90b448 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -321,6 +321,12 @@ static void notargets_hlist_insert(const char *name)
 	hlist_add_head(&cur->node, &notargets[djb_hash(name) % NOTARGET_HSIZE]);
 }
 
+void xtables_announce_chain(const char *name)
+{
+	if (!notargets_hlist_lookup(name))
+		notargets_hlist_insert(name);
+}
+
 void xtables_init(void)
 {
 	/* xtables cannot be used with setuid in a safe way. */
-- 
2.34.1

next prev parent reply	other threads:[~2022-03-16 17:44 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-16 17:44 [iptables PATCH 0/3] Speed up restoring huge rulesets Phil Sutter
2022-03-16 17:44 ` [iptables PATCH 1/3] nft: Reject standard targets as chain names when restoring Phil Sutter
2022-03-16 19:11   ` Florian Westphal
2022-03-16 17:44 ` [iptables PATCH 2/3] libxtables: Implement notargets hash table Phil Sutter
2022-03-16 19:13   ` Florian Westphal
2022-03-16 17:44 ` Phil Sutter [this message]
2022-03-16 19:13   ` [iptables PATCH 3/3] libxtables: Boost rule target checks by announcing chain names Florian Westphal

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:ca674c2663eb dfblob:816a157d5577 dfblob:1917fb231566
dfblob:4cf0d3dadead dfblob:c94770a0175e dfblob:8ee0bb91f7d4
dfblob:49790046a79d dfblob:60e7c6e90b44 )
 OR (
bs:"[iptables PATCH 3/3] libxtables: Boost rule target checks by announcing chain names" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220316174443.1930-4-phil@nwl.cc \
    --to=phil@nwl.cc \
    --cc=fw@strlen.de \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).